OS Command Injection in gogs - CVE-2022-1986

Published: June 8, 2022 / Updated: April 27, 2026


Vulnerability identifier: #VU128083
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-1986
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
gogs
Software vendor:
gogs.io

Description

The vulnerability allows a remote authenticated user to execute arbitrary OS commands on the server and, through them, gain SSH access to it.

The vulnerability exists due to command injection in the repository file editor: the editor does not stop a user from writing a crafted config file into the repository's .git directory, and in combination with a crafted file deletion this leads to execution of attacker-controlled commands. A remote user can upload and delete crafted files to run commands on the server and obtain SSH access.

Only installations with repository file upload enabled are vulnerable.
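The hardening a practitioner would want here is a path check applied to every path the file editor accepts (the path being created or updated, the old path of a rename, and the path being deleted), rejecting anything that resolves into the repository's .git directory. The following Go example is added to this advisory for illustration; it is not gogs's own code, and the function names `IsRepositoryGitPath` and `ValidateEditorPaths` are hypothetical. It normalises the input before checking so that traversal ("src/../.git/config"), backslash separators and case variations do not bypass the check.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// IsRepositoryGitPath reports whether a user-supplied, repository-relative
// path names the repository's .git directory or anything inside it.
// Hypothetical helper written for this advisory, not gogs's own code.
func IsRepositoryGitPath(p string) bool {
	// Treat backslashes as separators so "\.git\config" is not missed.
	p = strings.ReplaceAll(p, "\\", "/")
	// Anchor at "/" before cleaning so ".." cannot climb above the repo root,
	// then drop the anchor again. "src/../.git/x" becomes ".git/x".
	p = strings.TrimPrefix(path.Clean("/"+p), "/")
	for _, seg := range strings.Split(p, "/") {
		// Case-insensitive compare, and ignore trailing dots/spaces that some
		// filesystems silently strip (".git." would otherwise be ".git").
		if strings.EqualFold(strings.TrimRight(seg, ". "), ".git") {
			return true
		}
	}
	return false
}

// ValidateEditorPaths checks every path involved in one editor operation
// (update, rename or delete). Both the old and the new path are untrusted,
// which is why a deletion request needs the same check as an update.
func ValidateEditorPaths(paths ...string) error {
	for _, p := range paths {
		if strings.TrimSpace(p) == "" {
			return errors.New("empty path")
		}
		if IsRepositoryGitPath(p) {
			return fmt.Errorf("refusing to touch %q: inside the .git directory", p)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs for illustration.
	for _, p := range []string{
		"README.md",
		"docs/.gitignore",
		".git/config",
		"src/../.git/hooks/post-receive",
		".GIT\\config",
	} {
		fmt.Printf("%-35s git-path=%v\n", p, IsRepositoryGitPath(p))
	}
	fmt.Println(ValidateEditorPaths("README.md", ".git/config"))
}
```

Note that `.gitignore` and other dotfiles starting with `.git` are deliberately allowed; only a whole path component equal to `.git` is rejected, which is what distinguishes normal repository content from the metadata directory the editor must never write into.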


Remediation

Install the security update from the vendor's website (the fix shipped in gogs 0.12.9; earlier releases are affected).

External links